When calling the latest (version 2020-01-01) azure tenants api (management.azure.com/tenants) I don't see the same properties in the response as I get when using the "Try it" feature on the "Tenants - List" page in the online Azure REST documentation.
The response that I get only contains the "id", "tenantId" and "tenantCategory" properties. So the cool stuff like countryCode, domains, displayName, etc. are missing. I was using an older api version before which only included the "id" and "tenantId" properties so I do see the additional "tenantCategory" property at least.
When calling the 2020-01-01 version of the subscriptions list API in my code I do get all the same properties that I see when I use the "Try it" feature.
Has anyone else experienced this issue or know what could be the cause?
Thanks in advance!
I tried with https://management.azure.com/tenants?api-version=2020-01-01 in Try it, it returned the properties. Try to use 2020-05-01, 2020-06-01 or 2020-07-01 versions. They all worked for me.
When using Postman to call the API:
So it turns out that if you request the token under user context and use that as bearer token in the authorization header of the API call you get all the properties in the response, i.e. the same properties as you see when using the "Try it" feature online. But in my app I'm requesting it under the application context and then the expected behaviour is to only return the "id", "tenantId" and "tenantCategory" properties. So the tenants api is a bit different than the others and it's supposed to be that way.
Related
I have followed the instructions in this example:
https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/using-csom-for-dotnet-standard
And can connect fine :-) using grant_type=password, username and password
However i want to connect using client id and client secret...
I have set these up in AzureAD
i have added the permissions:
i have exposed the api
this is the body of my request
at this point in the code i actually receive the token
but here it fails with a 401
i wonder if someone has an example of this working?
I have also tried this https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
and i can get it working, whoever according to the documentation this has been retired on November 7, 2018.
I not sure what auth method it uses or how to identify the auth method.
If this registration is only used for SharePoint, you do not need to expose an API.
You don't need scope. You will need to pass in the 'client_id' and 'resource' like below and it will look something similar to this for getting a token to make a call to SharePoint:
client_id: [appRegistrationClientId]#[tenantid]
Resource: 00000003-0000-0ff1-ce00-000000000000/[tenant].sharepoint.com#[tenant-id]
This will help too: https://anexinet.com/blog/getting-an-access-token-for-sharepoint-online/
I am trying to use List SignIns API to get a list of sign-ins for my Service Principal however the API is not returning any results when I try to filter the results by Service Principal id and/or Service Principal Application Id. If I remove the filter, I am able to get the data.
Essentially I am trying to get the data shown in Azure Portal as shown in the screenshot below.
I have tried both Graph Explorer as well as Microsoft.Graph SDK (C#) and in both places I am not getting any result back.
Things I tried:
In Graph Explorer, I tried the following request URL: https://graph.microsoft.com/1.0/auditLogs/signIns?$filter=id eq 'my-service-principal-id' and that did not give any results back.
I even tried https://graph.microsoft.com/beta/auditLogs/signIns?$filter=appId eq 'my-application-id' and still no results.
I tried with both beta and 1.0 version numbers and same results.
I checked the Azure Portal network request in browser and noticed that instead of using graph.microsoft.com, it is using graph.windows.net and is sending the following request:
https://graph.windows.net/tenant-id/activities/getSummarizedServicePrincipalSignIns(aggregationWindow='1d')?$filter=(createdDateTime ge 2021-04-21T13:03:32.608Z and createdDateTime lt 2021-04-28T13:03:32.608Z and (appId eq 'my-application-id' or contains(tolower(appDisplayName), 'my-application-id')))&$top=50&$orderby=createdDateTime desc&source=kds
I also read the documentation for List SignIns API and following caught my eye:
Retrieve the Azure AD user sign-ins for your tenant. Sign-ins that are
interactive in nature (where a username/password is passed as part of
auth token) and successful federated sign-ins are currently included
in the sign-in logs.
I am not sure if what I am trying to accomplish is even possible with Graph API considering I am not getting any results back and Azure Portal is not even using Graph API to get this data.
Any insights into this will be highly appreciated.
This is possible using the 'beta' endpoint - but at this point it only seems to include 'interactive' sign-ins by default. If you add a filter on signInEventTypes it can return other types too:
So for 'User sign-ins (non-interactive)':
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'nonInteractiveUser')
For 'Service principal sign-ins':
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'servicePrincipal')
For 'Managed identity sign-ins':
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'managedIdentity')
For all sign ins (let me know if there's a more concise way!
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'interactiveUser' or t eq 'nonInteractiveUser' or t eq 'servicePrincipal' or t eq 'managedIdentity')
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins#return-log-data-with-microsoft-graph
Beta API has ServicePrincipalId and ServicePrincipalName, you can filter based on these attributes. This link lists the supported Attributes in $filter. This API supports $filter, $skiptoken and $Top.How ever do note Beta API are subjected to change.
https://learn.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-beta&tabs=http#attributes-supported-by-filter-parameter
Here's a blog about graph.windows.net and graph.microsoft.com
https://developer.microsoft.com/en-us/identity/blogs/microsoft-graph-or-azure-ad-graph/
I'm trying to request the contents of a Google doc (that I own) using the Google Docs API and the contents would be read to a website. I'm making the following request in Postman:
GET https://docs.googleapis.com/v1/documents/{documentId}?key=API_KEY
where the API_KEY is a key created in Google developer dashboard and is not restricted for now. However, I'm getting the following error:
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"status": "UNAUTHENTICATED"
}
}
I have made the doc public (read-access without signing in) and enabled the Docs API in the Google developer dashboard. Further, the dashboard is registering these (failing) requests, so something is going through.The answer is probably in the error message, but to me "or other valid authentication credential" means the API key that I'm already using.
I'm asking for advice on how to make this request successfully without needing to use OAuth or server-side code.
I found a workaround answer to my problem, although it didn't solve the problem with the Docs API. I decided to request the text data from a Google Sheet instead, which works fine with
GET https://sheets.googleapis.com/v4/spreadsheets/documentId?key=API_KEY
when the sheet is public and read-only.
Yes you can open the doc programatically using a service account. You need to "share" the doc with the service account email.
Instructions on creating a service account and reading a Google doc: https://www.futurice.com/blog/read-goog-doc-using-service-account
I am trying to get and analyze data from office 365 resource room booking data, for that I am using graph API to find meeting times,
https://graph.microsoft.com/v1.0/me/findMeetingTimes ,
this query perfectly working on Microsoft graph explorer after given permissions to calendar.ReadWrite and calendar.ReadWrite.Shared, but this is not working through api call in SharePoint page and postman test with same permissions given in azure WEB API.
it is returning below error
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "90f335e7-1955-48c2-a9e9-300ea232e181",
"date": "2018-10-26T07:47:13"
}
}
}
If any suggestion appreciated.
I'm assuming you are using the MSGraphClient inside of SPFx, it is using the delegated permissions (not app permissions as per the comment in this thread). Can you confirm you are using this? https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-msgraph
This api (https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_findmeetingtimes) requires "Calendars.Read.Shared, Calendars.ReadWrite.Shared" as you stated.
You would need to add additional permissions for this api call to work. As you only get User.Read.All for SPFx with MSGraphClient. This is documented here https://learn.microsoft.com/en-us/sharepoint/dev/spfx/use-aadhttpclient
From your provided request Id, I can see that your request had these scopes, which is missing the Calendars.Read.Shared permissions scope.
"Mail.ReadWrite","User.ReadWrite.All","Calendars.Read","People.Read.All","Group.Read.All","Directory.ReadWrite.All","MailboxSettings.Read","Contacts.ReadWrite","Group.ReadWrite.All","Sites.Manage.All","User.Invite.All","Files.ReadWrite.All","Directory.Read.All","User.Read.All","Files.Read.All","Mail.Read","Calendars.ReadWrite","Mail.Send","MailboxSettings.ReadWrite","Contacts.Read","Sites.FullControl.All","Reports.Read.All"
Look into the permissions of findMeetingTimes. You mode of authentication could be the root cause. For me I was tryint to use Application mode and this is not supported in this API.
I used and alternative api, /calendar/getSchedule to achieve this. If you login as your userid use ME option or use application mode login to login and use {id|userPrincipalName} to get calendar details for any meeting room.
Refer: https://learn.microsoft.com/en-us/graph/api/calendar-getschedule?view=graph-rest-1.0&tabs=http
Graph API Explorer link below provides the basics on how to login and got good examples for Graph to begin with.
https://developer.microsoft.com/en-us/graph/graph-explorer
I'm trying to make a POST request to Azure AD GraphAPI to create a user in my AD B2C tenant, but I'm getting the following error
"Error Calling the Graph API:
{
"odata.error": {"code": "Request_DataContractVersionMissing",
"message": {"lang": "en",
"value": "The specified api-version is invalid. The value must exactly match a supported version"}
}
I do send the version, and based on the docs it is supported.
Version 1.6
This section lists the changes for Graph API version 1.6.
Graph API version 1.6 introduces the following feature changes:
Added support for Azure Active Directory B2C local account users. This involves new properties on the User entity and a new complex type
SignInName to support local account sign-in to Azure Active Directory
B2C tenants. For more information about Azure Active Directory B2C,
see the Azure Active Directory B2C documentation.
[Edit]
submitted json
{"accountEnabled":true,"signInNames":[{"type":"userName","value":"ausername"}],"creationType":"LocalAccount","displayName":"A display name","passwordProfile":{"password":"a password","forceChangePasswordNextLogin":true},"passwordPolicies":"policies","country":"MX","givenName":"Fstname","surename":"Lstname","department":"Dpt","jobTitle":"Title","mail":"mail#server.com","otherMails":[],"preferredLanguage":"es-MX"}
Any clue on why I'm getting the error?
There is something wrong with the api-version query parameter: Request_DataContractVersionMissing
Data contract version parameter is missing. Include api-version as a query parameter with all your requests.
Doesn't Work
https://graph.windows.net/ebenefitsdev.onmicrosoft.com/users?apiāversion=1.6
I get Request_DataContractVersionMissing error when submitting that.
Does Work
https://graph.windows.net/ebenefitsdev.onmicrosoft.com/users?api-version=1.6
The difference is the hyphen char. One is the 'normal' one I typed on my keyboard. The other is from here.
I suspect it is a copy paste problem (I've experienced these in the past).
I see one problem: signInNames not signInName
Documentation for user entity
For future readers, I ran into this issue with 2.0 of graph.windows.net, but it was not the hyphen. It seems this error is also shown if the client ID you used to get a resource token for graph.windows.net is not correct.